More and more government organizations are considering moving larger and larger portions of their data to the cloud. This transformation will eventually allow agencies to deliver services faster and more efficiently to customers and employees by a variety of methods. The 2019 Oracle and KPMG Cloud Threat Report stated that over 50% of participating North American organizations (government and otherwise) already have 26% or more of their data in the cloud, and 49% of all respondents expect to store the majority of their data in a public cloud by 2020.
Though it seems like a very popular move, an agency has to consider many factors when planning such a digital transformation. Chief among these is the organization’s Identity and Access Management (IAM) policies and procedures.
“The key risk of ignoring IAM while going through a digital transformation is data loss,” said Shane Cashdollar, a federal advisory director at KPMG. “It’s easy to think of a move to the cloud as just a move to another server, but really it’s moving data, customer information, employee information and other sensitive elements to the cloud. It’s on the internet now, and without reassessing Access Management organizations will face a number of problems. Digital transformation efforts truly establish the notion of ‘Identity is the new perimeter.’”
Simply managing logins is only part of the challenge. Cashdollar added, “You can and should use multi-factor authentication. The risks, while lessened, are still there when data is moving to and from the cloud. Organizations need to consider all the ways that their employees are getting to the data and then reassess. A modernization effort requires examination of the legacy IAM processes, not just the technology for a potential fit.”
One Size Does Not Fit All
There are many Cloud Access Security Brokers (CASBs) available to address many IAM-related issues. However, care must be taken not to implement such a tool in a vacuum since it is unlikely to be a perfect fit for your organization’s needs.
“All CASB tools are somewhat in their infancy,” said Cashdollar, “they are new and even the general concepts of what they are doing are still being developed. These tools have their strengths, and each one has its place, but there is a need to determine the strengths and weaknesses of those tools and where the gaps are that may need to be addressed through other methods.”
There may be CASB tools out there that are right for a particular situation, but only if they align with existing IAM tools, policies and processes.
Out With the Old
Often an agency is considering a move to the cloud, but is still using a much older IAM process. These legacy systems might not be able to handle the change in platform, and may even end up becoming a security risk. In contrast, adopting newer tools will have many advantages.
“The number one advantage of migrating away from legacy IAM tools is ease of operation and maintenance,” said Cashdollar. “Some of the big products of the past like CA Siteminder and Oracle IAM Stacks are big and cumbersome and they’re really struggling to support the applications of today. So they maybe support SAML, but if we’re trying to move into OIDC and OAuth, standards that are better and newer, those tools don’t support them in the same way.”
“In addition,” Cashdollar goes on, “there is much cheaper operation and maintenance in new IAM systems. Many of these are ‘as a service’ systems, so you can leverage the expertise of the vendors themselves to operate and maintain those systems, and off-load that responsibility from your own team. Also, they’re designed to work with these new cloud systems and the more modern applications that come with them.”
You Are Not Alone
While digital transformation is a daunting task for any government organization, it doesn’t have to be like re-inventing the wheel. “There is help available for agencies that are looking at changing their IAM along with a move to the cloud,” offered Cashdollar. There are troves of information in repositories like the General Services Administration’s IT Modernization Centers of Excellence and DHS’s Continuous Diagnostics and Mitigation Program. These and others can help guide an agency on its journey to the cloud.
Also, there may be information to be had through other avenues. “You don’t have to just figure it out for yourself, or even hire someone to figure it out for you,” added Cashdollar. “Ask around to other agencies and see what these programs can offer your agency. There are a lot of shared services through those programs, so instead of rebuilding, you can leverage something that is already out there.”